[realaravinth]

> I appreciate the effort towards better UX, but there are already "invisible" CAPTCHAs like Botpoison that discriminate better than this.

Interesting project, thank you for sharing! From Botpoison's website[0] under FAQ:

> Botpoison combines: > - Hashcash , a cryptographic hash-based proof-of-work algorithm. > - IP reputation checks, cross-referencing proprietary and 3rd party data sets. > - IP rate-limits. > - Session and request analysis.

Seems like it is PoW + IP rate-limits. IP rate-limits. though very effective at immediately identifying spam, it hurts folks using Tor and those behind CG-NAT[1].

And as for invisibility, CAPTCHA solves in mCaptcha have a lifetime, beyond which they are invalid. So generating PoW when the checkbox is ticked gives optimum results. But should the webmaster choose to hide, the widget, they can always choose to hook the widget to a form submit event.

[0]: https://botpoison.com/ [1]: https://en.wikipedia.org/wiki/Carrier-grade_NAT

full disclosure: I'm the author of mCaptcha

[supernes]

Thinking about it a bit more, systems like mCaptcha and Botpoison aren't really CAPTCHA in the strict sense - they solve a somewhat different problem than telling if there's a human at the other end, and IMO that's an important distinction to make (and doesn't necessarily make them inferior to other solutions.)

I still think PoW alone is not enough as it can be automated, albeit at a slower rate. Most of the time I worry more about low-volume automated submissions than high-frequency garbage. The real value is in the combination of factors, especially what BP call the "session and request analysis" and other fingerprinting solutions.

[realaravinth]

> Thinking about it a bit more, systems like mCaptcha and Botpoison aren't really CAPTCHA in the strict sense

Very true! I chose to use “captcha” because it's easier to convey what it does than, say, calling it a PoW-powered rate-limter.

> The real value is in the combination of factors, especially what BP call the "session and request analysis" and other fingerprinting solutions.

Also true. I'm not sure if it is possible to implement fingerprinting without tracking activity across the internet --- something that a privacy-focused software can't do.

I have been investigating privacy-focused, hash-based spam detection that uses peer reputation[0] but the hash-based mechanism can be broken with a slight modification to the spam text.

I would love to implement spam detection but it shouldn't compromise the visitor's privacy :)

[0]: please see "kavasam" under "Projects that I'm currently working on". I should set up a website for the project soon. https://batsense.net/about

Disclosure: author of mCaptcha.

[supernes]

Client-local fingerprinting is not inherently evil, just when you combine it with additional signals and decide to use it in violation of users' privacy. AFAIK it's the most reliable way to distinguish unique visitor agents, and under that use case it's far more respectful of personal information than an IP address.

[ivanhoe]

strictly speaking it's a rate limiter, not captcha... but frankly it's probably closer to what most ppl use captchas for these days...

[dspillett]

> and those behind CG-NAT

I'm in two minds about how I feel inconveniencing those behind CG-NAT. I don't want to punish the innocent, but the ISPs aren't going to move towards better solutions (IPv6) without a push from their paying customers, and they'll never get that push with sufficient strength if we work tirelessly to make the problem affect us and not affect those subscribers.

[2000UltraDeluxe]

In the real world, on the other hand, customers will simply conclude that one site doesn't work while others do, and that the problem must be with the one site that doesn't work.